
Horizon Fast Ferry Pte. Ltd. [2024] SGPDPC 1

Analysis of [2024] SGPDPC 1, a decision of the Personal Data Protection Commission on 2024-05-23.


Case Details

Summary

In this case, the Personal Data Protection Commission (PDPC) found that Horizon Fast Ferry Pte. Ltd., a Singapore-based ferry operator, had failed to implement reasonable security arrangements to protect the personal data of its customers, in breach of the Personal Data Protection Act 2012 (PDPA). The breach occurred when valid credentials to the organization's Ubuntu operating system root account were misused to gain unauthorized access and exfiltrate the personal data of over 100,000 individuals who had booked tickets on the company's website.

The PDPC determined that Horizon Fast Ferry's failures included poor vendor management, lack of an ICT policy covering critical IT security aspects, and failure to implement adequate security solutions on its web server. The organization was ordered to take various remedial actions to improve its data protection practices.

This case highlights the importance for organizations to have robust data protection measures in place, including clear policies and procedures for managing IT vendors and securing their IT infrastructure, in order to fulfill their obligations under the PDPA.

What Were the Facts of This Case?

On 25 April 2023, Horizon Fast Ferry Pte. Ltd. (the "Organization"), a Singapore-based ferry operator, notified the PDPC that there had been unauthorized access and exfiltration of the personal data of 108,488 individuals who had booked tickets on the Organization's website from its server (the "Incident"). The personal data affected included the individuals' name, passport number, date of birth, passport issue and expiry date, nationality, email address (if provided), and telephone number (if provided).

The Organization admitted that the Incident occurred because valid credentials to its Ubuntu operating system root account, which is akin to a super-user account, had been misused to gain unauthorized access to the personal data in the Organization's possession and/or control. The root account access had initially been granted to a contractor, Contractor I, to set up the Organization's website in 2019. When Contractor I claimed the root account was no longer accessible, the Organization's IT Supervisor (an individual informally provided by an overseas IT vendor, referred to as the IT Support Vendor) assumed that the account was no longer active.

However, when the Organization terminated its website maintenance contract with another contractor, Contractor II, in November 2022, the root account credentials remained active and were used to gain unauthorized access to the Organization's system. The IT Supervisor was again unable to verify if the root account credentials had been disabled or reassigned to him.

The Organization admitted that the IT Supervisor's lack of familiarity with the Ubuntu operating system led him to mistakenly believe that the root account was no longer active and that the contractors had only been able to log in to the Organization's system through a different customer account.

The key legal issue in this case was whether Horizon Fast Ferry had breached its obligations under section 24 of the Personal Data Protection Act 2012 (PDPA) to protect the personal data in its possession or control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, or disposal.

As the Organization was in possession of its customers' personal data, it was required to comply with all the data protection obligations under the PDPA, including the protection obligation under section 24, regardless of whether it had engaged a data intermediary or external IT vendors to handle the data.

How Did the Court Analyse the Issues?

In analyzing the issues, the PDPC Deputy Commissioner found that Horizon Fast Ferry had failed to implement reasonable security arrangements to protect the personal data in its possession or control, and thus acted in breach of section 24 of the PDPA.

Specifically, the PDPC found that the Organization failed to:

  1. Ensure proper management of the IT Support Vendor by having written policies and procedures for vendor management.
  2. Implement an Information and Communications Technology (ICT) policy that covers the critical aspects of IT security.
  3. Ensure that adequate security solutions were implemented for its web server.

Regarding vendor management, the PDPC noted that the Organization did not have any written policies or procedures, nor a formal contractual agreement, defining the responsibilities and competencies required of the IT Support Vendor. This led to the Organization being unaware that the root account credentials had remained active even after the termination of the website maintenance contract with Contractor II.

The PDPC also found that the Organization's lack of an ICT policy covering critical IT security aspects, such as account and access control, password management, and hardening and patching, contributed to the security failures that allowed the unauthorized access to occur.
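As an added example (not code from the decision or from the Organization's systems) of the verification the IT Supervisor was unable to carry out in the facts above, and of the account and access control checks an ICT policy of the kind the PDPC describes would require, the following POSIX shell script tests whether an Ubuntu root account is actually disabled; every file it reads is a constructed sample.

```shell
#!/bin/sh
# Added example (not code from the decision or the Organization): the check the
# IT Supervisor could not perform, i.e. whether an Ubuntu root account is really
# disabled. Root stays reachable through an unlocked hash in /etc/shadow, keys in
# /root/.ssh/authorized_keys, or PermitRootLogin in sshd_config. Functions take
# file paths, so they can run on copies or (as root) on the live files.

# "locked" if root's hash starts with "!" or "*", "empty" if blank, else "unlocked".
root_password_state() {
  hash=$(awk -F: '$1=="root"{print $2}' "$1")
  case "$hash" in
    '!'*|'*'*) echo locked ;;
    '') echo empty ;;
    *) echo unlocked ;;
  esac
}
# Number of key lines (non-blank, non-comment) authorised for root; 0 if no file.
root_ssh_key_count() {
  [ -f "$1" ] || { echo 0; return; }
  grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}
# Effective PermitRootLogin: sshd honours the first occurrence of a keyword and
# Ubuntu's default when absent is prohibit-password (Match blocks not handled).
permit_root_login() {
  v=$(awk 'tolower($1)=="permitrootlogin" && !f {v=$2; f=1} END{print v}' "$1")
  echo "${v:-prohibit-password}"
}
# ACTIVE if root can still log in (password at console, or SSH key), else DISABLED.
root_access_verdict() {
  pw=$(root_password_state "$1")
  keys=$(root_ssh_key_count "$2")
  prl=$(permit_root_login "$3")
  if [ "$pw" != locked ]; then echo ACTIVE
  elif [ "$keys" -gt 0 ] && [ "$prl" != no ]; then echo ACTIVE
  else echo DISABLED
  fi
}

# Constructed sample files: root as a departed contractor might have left it,
# plus a locked/hardened pair for comparison.
demo=$(mktemp -d)
printf 'root:$6$constructed$saltAndHash:19500:0:99999:7:::\n' > "$demo/shadow"
printf '# contractor key (constructed)\nssh-ed25519 AAAAC3NzConstructedKey c1\n' > "$demo/authorized_keys"
printf 'Port 22\nPermitRootLogin yes\n' > "$demo/sshd_config"
printf 'root:!:19500:0:99999:7:::\n' > "$demo/shadow_locked"
printf 'Port 22\nPermitRootLogin no\n' > "$demo/sshd_config_hardened"
echo "as found: $(root_access_verdict "$demo/shadow" "$demo/authorized_keys" "$demo/sshd_config")"
echo "hardened: $(root_access_verdict "$demo/shadow_locked" "$demo/authorized_keys" "$demo/sshd_config_hardened")"
```

Note that a locked password alone is not enough: the "hardened" verdict only turns to DISABLED once the leftover key no longer works because PermitRootLogin is set to no (or the key is removed).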

Additionally, the PDPC determined that the Organization's failure to implement basic security solutions, such as firewalls, on its web server further exacerbated the vulnerabilities that led to the data breach.

The PDPC emphasized that organizations engaging outsourced service providers must have clear agreements and procedures in place to ensure the proper management of such vendors and the protection of personal data, in line with the PDPA's requirements.

What Was the Outcome?

Based on its findings, the PDPC determined that Horizon Fast Ferry had breached section 24 of the PDPA by failing to implement reasonable security arrangements to protect the personal data in its possession or control.

The PDPC ordered Horizon Fast Ferry to take the following remedial actions:

  • Engage a cyber incident response vendor to perform digital forensics investigations and implement all recommended improvements to its cybersecurity.
  • Engage a vendor to develop a new website and conduct penetration testing to rectify identified vulnerabilities.
  • Train its managers and the IT Support Vendor and current web development vendor on the obligations and requirements of the PDPA.
  • Enter into a written agreement with the IT Support Vendor for the access and management of the Organization's systems and website, requiring the vendor to designate a staff member with the relevant IT knowledge.
  • Enhance its internal guidelines on data protection and develop guidelines and protocols for its vendors, outlining procedures for handling personal data and establishing processes for access, password management, and other security measures.

Why Does This Case Matter?

This case is significant as it highlights the importance for organizations to have robust data protection measures in place, particularly when engaging external IT vendors and service providers, in order to fulfill their obligations under the PDPA.

The PDPC's findings emphasize that organizations cannot simply rely on the goodwill of informal IT support arrangements or assume that contractors have properly secured access to their systems. Organizations must have clear policies, procedures, and contractual agreements in place to ensure the proper management of vendors and the adequate protection of personal data under their control.

This case serves as a valuable precedent for organizations to review and strengthen their data protection practices, including their vendor management processes and implementation of comprehensive ICT policies and security solutions. Failure to do so can result in significant data breaches and enforcement actions by the PDPC, as demonstrated in this case.

This article analyses [2024] SGPDPC 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla